CYBRI mobile penetration testing can help your company reduce the risk of a mobile application breach, improve mobile security, and achieve compliance.

Positive Technologies stated in their Vulnerabilities and Threats in Mobile Applications 2019 Report, “hackers love targeting mobile devices, which are rich with personal data and payment card information. Our results indicate that developers of mobile applications often neglect security.”

Other report highlights include:

  • High-risk vulnerabilities were found in 38 percent of mobile applications for iOS and in 43 percent of Android apps.
  • Insecure data storage was identified as the most common vulnerability. This flaw was found in 76 percent of mobile apps and, in some cases, could enable hackers to steal passwords, financial information, personal data, and correspondence.
  • Hackers seldom need physical access to a smartphone to steal data: 89 percent of vulnerabilities can be exploited using malware.
  • Most cases were caused by weaknesses in security mechanisms (74% and 57% for iOS and Android apps, respectively, and 42% for server-side components).

It’s not a myth that mobile application developers are generally experts in their domain and code, but they are rarely security experts.

Overview

Mobile applications are prone to many forms of security vulnerabilities and require a different setup and approach than web applications do. CYBRI’s mobile application security testing (MAST) uses a blend of static application security testing (SAST), dynamic application security testing (DAST), and forensic techniques to locate mobile-specific issues and vulnerabilities in the mobile application code. Our Red Team conducts manual testing of your mobile apps in areas such as authentication, code quality, cryptography, file analysis, data storage, reverse engineering, and network communications.

Mobile App Security

According to Comscore’s 2019 Global State of Mobile Report, mobile apps continue to outpace desktop apps. Cybercriminals view mobile as the holy grail for obtaining credential access — with the potential to open doors into data centers, cloud accounts, and ultimately your company’s infrastructure.

The Top 10 OWASP Mobile Risks

  • M1: Improper Platform Usage
  • M2: Insecure Data Storage
  • M3: Insecure Communication
  • M4: Insecure Authentication
  • M5: Insufficient Cryptography
  • M6: Insecure Authorization
  • M7: Client Code Quality
  • M8: Code Tampering
  • M9: Reverse Engineering
  • M10: Extraneous Functionality

Methodologies & Scope

Conducting a mobile application penetration test allows businesses to analyze the security of their mobile apps and gain essential insight into their mobile environment. CYBRI’s Red Team uses static source code review across the major mobile operating systems (Android and iOS) to analyze strengths and weaknesses and pinpoint application flaws and vulnerabilities. The team then dives deeper into the application through dynamic analysis, observing how the app runs on the mobile device and checking data storage, app operations, and network communications.

Mobile App Testing Phases

1 - Planning Phase

— Information Gathering

  • Define the scope.
  • Search for any publicly available information about the target mobile application.
  • Mapping: Determine functionality and workflow.
  • Inventory permissions.

2 - Testing Phase

— Conduct Mobile Exploitation Activities

  • Authorization: Examine role privilege enforcement and attempt to bypass authorization restrictions.
  • Data: Identify and inventory stored data and how it is encrypted.
  • Information Disclosure: Examine log files and cache stores.

3 - Reporting Phase

  • Details on vulnerabilities found, the methodology used, and locations where the problems exist.

Throughout the testing phase, clients have access to all discoveries and can ask questions at any time. After the completion of the testing, there is a question and answer session to help internal teams understand and mitigate all discovered vulnerabilities.
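As an added illustration of the planning-phase mapping and permission inventory (this is example code written for this page, not CYBRI tooling), the following script inventories an Android manifest: the permissions it requests, which of those fall in Android's dangerous protection level, exported components that carry no permission guard, and application flags such as debuggable and allowBackup. The manifest and the package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for this walkthrough, not from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".AdminActivity" android:exported="true"/>
    <provider android:name=".DataProvider" android:exported="true"
              android:permission="com.example.placeholder.READ_DATA"/>
  </application>
</manifest>
"""

# Subset of Android's "dangerous" protection-level permissions that a
# reviewer would expect to see justified by the app's functionality.
DANGEROUS = {"android.permission.READ_CONTACTS", "android.permission.CAMERA",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS"}

def inventory_manifest(xml_text):
    """Inventory requested permissions, exported components that carry no
    permission guard, and application flags worth raising in the report."""
    root = ET.fromstring(xml_text)
    perms = [e.get(NS + "name") for e in root.iter("uses-permission")]
    app = root.find("application")
    # debuggable builds and backup-enabled data are common report findings
    risky_flags = [f for f in ("debuggable", "allowBackup")
                   if app.get(NS + f) == "true"]
    unprotected = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            exported = comp.get(NS + "exported") == "true"
            # exported without android:permission means any app can reach it
            if exported and comp.get(NS + "permission") is None:
                unprotected.append(comp.get(NS + "name"))
    return {"permissions": perms,
            "dangerous": sorted(p for p in perms if p in DANGEROUS),
            "unprotected_exported": unprotected,
            "risky_flags": risky_flags}
```

Run it against the manifest pulled from a decoded APK to get a first-pass inventory; the guarded DataProvider is intentionally not flagged, while AdminActivity is.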

Mobile App Pen Testing Features and Benefits

Mobile app penetration testing can identify vulnerabilities and threats in your smartphone applications before cybercriminals do.

Features of our pen testing services include:

  • On-demand testing
  • Team collaboration
  • Data-rich dashboards
  • Clean reports
  • Historical data analysis
  • Remediation tracking

Benefits of our pen testing services:

  • Uncover vulnerabilities in mobile apps
  • Test the effectiveness of your defenses
  • Spot mistakes made by developers
  • Discover bugs in existing applications

Why Choose CYBRI for Your Next Mobile App Penetration Test?

The CYBRI Red Team conducts mobile application pen testing of both general application and mobile-dedicated attack simulations. Our experts will identify application logic weaknesses (targeting OWASP Mobile Top 10 vulnerabilities), and provide code review for both Android and iOS mobile applications.

CYBRI Blue Box Technology

We developed our own Blue Box technology, so that collaboration between your organization and our experts is transparent and seamless.

Blue Box features include data-rich dashboards, clean reports, remediation tracking, on-demand testing, and historical data analysis.

Our Red Team experts + CYBRI Blue Box technology won’t let mobile app security threats go undetected.